1. Introduction and Scope
This Data Processing Agreement ("DPA") forms part of the agreement between Blue Beard Solutions Inc. ("Processor," "we," "us") and the entity subscribing to the MayDay-IC service ("Controller," "you," "your") for the provision of the MayDay-IC incident command platform (the "Service"). This DPA is entered into pursuant to Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applies to all processing of personal data by the Processor on behalf of the Controller in connection with the Service.
This DPA supplements and is incorporated into the Terms of Service and any applicable subscription agreement. In the event of a conflict between this DPA and any other agreement between the parties, this DPA shall prevail with respect to the processing of personal data.
2. Definitions
- "Data Controller" means the entity that determines the purposes and means of the processing of personal data. In the context of the Service, the Controller is the subscribing emergency services agency or organization.
- "Data Processor" means the entity that processes personal data on behalf of the Controller. Blue Beard Solutions Inc. acts as the Processor with respect to the Service.
- "Personal Data" means any information relating to an identified or identifiable natural person, as defined in Article 4(1) of the GDPR.
- "Processing" means any operation or set of operations performed on personal data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
- "Sub-processor" means any third party appointed by the Processor to process personal data on behalf of the Controller.
- "Data Subject" means an identified or identifiable natural person whose personal data is processed.
- "Supervisory Authority" means an independent public authority established by an EU Member State pursuant to Article 51 of the GDPR.
- "Standard Contractual Clauses" (SCCs) means the contractual clauses adopted by the European Commission for the transfer of personal data to third countries.
3. Scope and Purpose of Processing
The Processor shall process personal data solely for the following purposes:
- Providing and maintaining the MayDay-IC incident command platform
- Facilitating emergency incident coordination and management
- Enabling patient triage and medical care coordination
- Supporting resource allocation and logistics management
- Generating AI-assisted triage recommendations and incident analysis
- Processing payments and managing subscriptions
- Providing technical support and service improvements
- Maintaining audit logs and compliance documentation
- Fulfilling legal and regulatory obligations
The Processor shall not process personal data for any purpose other than those specified above or as otherwise instructed in writing by the Controller.
4. Types of Personal Data Processed
| Data Type | Description |
|---|---|
| Identity Data | Names, email addresses, call signs, badge numbers, agency affiliations |
| Professional Data | Job titles, certifications, training records, duty status, shift assignments |
| Geolocation Data | GPS coordinates of responders during active incidents |
| Protected Health Information (PHI) | Patient triage data, medical assessments, vital signs, treatment records |
| Communication Data | PTT transmissions, IC broadcasts, chat messages |
| Financial Data | Billing information, subscription details (processed via Stripe) |
| Technical Data | Device information, IP addresses, session tokens, usage logs |
| Media Data | Damage assessment photos, evidence log entries, incident documentation |
5. Categories of Data Subjects
The following categories of data subjects may have their personal data processed under this DPA:
- Emergency Responders: Firefighters, paramedics, EMTs, law enforcement officers, search and rescue personnel, hazmat specialists, and other emergency services personnel using the Service.
- Patients: Individuals receiving emergency medical care whose triage and treatment data is recorded in the Service during incident operations.
- Agency Personnel: Administrators, dispatchers, training coordinators, logistics officers, IC officers, and other personnel involved in incident command operations.
- Hospital Staff: Medical professionals at receiving facilities who interact with the hospital portal features of the Service.
- Government Officials: Emergency management officials, public information officers, and government representatives who access incident data.
6. Processor Obligations
The Processor shall:
- Process personal data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country, unless required to do so by applicable law, in which case the Processor shall inform the Controller of that legal requirement before processing (unless prohibited by law).
- Ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as required by Article 32 of the GDPR.
- Not engage another processor (sub-processor) without prior specific or general written authorization of the Controller.
- Assist the Controller in ensuring compliance with obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to the Processor.
- At the choice of the Controller, delete or return all personal data to the Controller after the end of the provision of services, and delete existing copies unless applicable law requires storage of the personal data.
- Make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.
- Immediately inform the Controller if, in the Processor's opinion, an instruction from the Controller infringes the GDPR or other applicable data protection provisions.
7. Sub-processor Requirements
The Controller provides general authorization for the Processor to engage sub-processors for the provision of the Service. The Processor shall:
- Maintain an up-to-date list of sub-processors, available at /legal/subprocessors.
- Inform the Controller of any intended changes concerning the addition or replacement of sub-processors, giving the Controller at least 30 days to object to such changes.
- Impose the same data protection obligations as set out in this DPA on any sub-processor by way of a contract or other legal act, ensuring that the sub-processor provides sufficient guarantees to implement appropriate technical and organizational measures.
- Remain fully liable to the Controller for the performance of each sub-processor's obligations.
If the Controller objects to a new sub-processor on reasonable grounds relating to data protection, the parties shall discuss the objection in good faith. If no resolution can be reached, the Controller may terminate the affected portion of the Service without penalty.
8. Data Security Measures
The Processor implements and maintains the following technical and organizational security measures:
Technical Measures
- AES-256 encryption of personal data at rest
- TLS 1.2+ encryption of personal data in transit
- Role-based access controls (RBAC) applying the principle of least privilege
- Multi-factor authentication for administrative access
- Automated vulnerability scanning and patch management
- Database-level access controls and query logging
- Secure key management and rotation
- Network segmentation and firewall protection
- Intrusion detection and prevention systems
Organizational Measures
- Information security policies and procedures
- Employee background checks and security training
- Confidentiality agreements for all personnel
- Incident response plan and procedures
- Regular security assessments and penetration testing
- Business continuity and disaster recovery planning
- Data classification and handling procedures
- Access review and recertification processes
9. Breach Notification
In the event of a personal data breach, the Processor shall:
- Notify the Controller without undue delay, and in any event no later than 72 hours after becoming aware of the breach, in accordance with Article 33 of the GDPR.
- Provide the Controller with sufficient information to enable the Controller to meet its obligations to report the breach to the relevant supervisory authority and to notify affected data subjects.
- Include in the notification: the nature of the breach, categories and approximate number of data subjects concerned, categories and approximate number of personal data records concerned, likely consequences, and measures taken or proposed to address the breach.
- Cooperate with the Controller and take commercially reasonable steps to assist in the investigation, mitigation, and remediation of the breach.
- Document all personal data breaches, including the facts, effects, and remedial actions taken, for audit and compliance purposes.
For breaches involving Protected Health Information (PHI), the Processor shall also comply with the breach notification requirements under HIPAA (45 CFR Part 164, Subpart D) and notify the Controller within 24 hours of discovery.
10. Data Subject Request Assistance
The Processor shall assist the Controller in fulfilling its obligation to respond to requests from data subjects exercising their rights under Chapter III of the GDPR, including:
- Right of Access (Article 15): Providing the Controller with copies of personal data upon request.
- Right to Rectification (Article 16): Correcting inaccurate personal data upon instruction from the Controller.
- Right to Erasure (Article 17): Deleting personal data upon instruction from the Controller, subject to legal retention requirements.
- Right to Restriction (Article 18): Restricting processing upon instruction from the Controller.
- Right to Data Portability (Article 20): Providing personal data in a structured, commonly used, machine-readable format.
- Right to Object (Article 21): Ceasing processing upon instruction from the Controller where the data subject has objected.
The Processor shall promptly notify the Controller if it receives a data subject request directly and shall not respond to such a request without the Controller's prior written authorization, unless required by applicable law.
11. Data Deletion and Return
Upon termination or expiry of the Service agreement, the Processor shall, at the Controller's election:
- Return all personal data to the Controller in a structured, commonly used, machine-readable format within 30 days of termination; or
- Securely delete all personal data and certify such deletion in writing within 30 days of termination.
The Processor may retain personal data to the extent required by applicable law (including HIPAA retention requirements), provided that the Processor shall ensure the confidentiality of such data and shall not process it for any purpose other than compliance with the applicable legal obligation. The Processor shall inform the Controller of any such retention requirement.
12. Auditing Rights
The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits, including inspections, conducted by the Controller or an independent auditor mandated by the Controller. The following provisions apply:
- The Controller shall provide at least 30 days' written notice of any audit request.
- Audits shall be conducted during normal business hours and shall not unreasonably interfere with the Processor's operations.
- The Controller shall bear the costs of any audit, unless the audit reveals material non-compliance by the Processor.
- The Processor may satisfy audit requests by providing relevant third-party audit reports (e.g., SOC 2 Type II), certifications, or other documentation.
- All information obtained during an audit shall be treated as confidential by the Controller and its auditors.
- Audits shall be limited to once per calendar year, unless a data breach or material non-compliance has occurred.
13. International Data Transfers
Personal data processed under this DPA is stored and processed in the United States. Where personal data is transferred from the European Economic Area, United Kingdom, or Switzerland to the United States, the following safeguards apply:
- The parties agree to the Standard Contractual Clauses (SCCs) adopted by the European Commission (Commission Implementing Decision (EU) 2021/914), which are incorporated into this DPA by reference.
- For transfers from the United Kingdom, the parties agree to the International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner's Office.
- For transfers from Switzerland, the parties agree to the applicable SCCs as recognized by the Swiss Federal Data Protection and Information Commissioner.
- The Processor shall implement supplementary measures as necessary to ensure an adequate level of protection for transferred personal data, taking into account the legal framework of the recipient country.
The Processor shall promptly notify the Controller of any changes in applicable law that may affect the adequacy of the transfer safeguards.
14. Liability
Each party's liability under this DPA shall be subject to the limitations and exclusions of liability set out in the Terms of Service, except that:
- Neither party's liability for breaches of its data protection obligations shall be limited to the extent that such limitation would be prohibited by applicable data protection law.
- The Processor shall be liable for damages caused by processing that does not comply with the GDPR or with the Controller's lawful instructions, in accordance with Article 82 of the GDPR.
- The Processor shall be exempt from liability if it proves that it is not in any way responsible for the event giving rise to the damage.
Each party shall indemnify the other against all claims, actions, third-party claims, losses, damages, and expenses incurred by the indemnified party arising out of the indemnifying party's breach of this DPA.
15. Term and Termination
This DPA shall remain in effect for the duration of the Service agreement and shall automatically terminate upon the termination or expiry of the Service agreement, subject to the following:
- Obligations relating to the return or deletion of personal data (Section 11) shall survive termination.
- Obligations relating to confidentiality shall survive termination indefinitely.
- The Controller may terminate this DPA immediately if the Processor materially breaches any of its obligations and fails to cure such breach within 30 days of written notice.
- Either party may terminate this DPA if the other party becomes insolvent or enters into bankruptcy or similar proceedings.
16. Governing Law
This DPA shall be governed by and construed in accordance with the laws of the State of Delaware, United States, without regard to its conflict of laws principles, except to the extent that the GDPR or other mandatory data protection laws require otherwise. Any disputes arising under this DPA shall be subject to the exclusive jurisdiction of the courts of the State of Delaware, or, where applicable, the courts of the European Union Member State in which the Controller is established.
17. Contact Information
Data Processing Inquiries
Blue Beard Solutions Inc.
Data Protection Officer
General DPA inquiries: info@maydayic.com
HIPAA-related inquiries: info@maydayic.com
Legal inquiries: info@maydayic.com